Seldom in recent history has a cyber security event caused so much media stir (maybe because it happened to a media company?) and international relations upheaval. Cyber security breaches seem to take place daily of major corporations, but the Sony hack seems to have captured the American imagination and, for that matter, the whole world's attention.

Maybe it was the salacious details in the released emails of the interaction between the studio and its stars. Or, maybe it was the American public's feelings of being wronged by a petty dictator. Whatever the reason, the Sony hack has captured the fancy and attention of the public like none other.

Soon after the hack, the FBI "conclusively" determined that the attack came from North Koreans and reported to the President and the American public as such. For my part, I have many reservations about that conclusion.

Last week, I wrote about my observations on the Sony hack, and in that article, I simply recounted the thoughts that had bounced around my head. Now that I have had more time to examine the evidence and congeal my assessment, I feel compelled to tell you that I have serious doubts that this hack was committed by North Korea. Probably, more accurately, I have serious doubts that the evidence the FBI has cited points to North Korea.

Let me tell you why.

There Was No Immediate North Korean Connection

The hacker group, "Guardians of Peace," made no reference to the movie The Interview or North Korea, initially. Only after the media began to speculate that the motive of the attacker was regarding the movie did the hackers mention it. It appears that the attackers were happy to deflect the investigation away from themselves.

If you were the hacker and everyone wanted to blame North Korea instead of you, wouldn't you be smart to run with that scenario?

The Evidence Was Circumstantial

As I mentioned in my earlier article, in most of these types of cases, the fingerprint of the hacker is found through examining the malware. This "fingerprint" is only circumstantial evidence, meaning that it is far from conclusive, but it can infer the identity of the attacker. It examines the pieces and modules of the malware and attempts to trace it backward to the perpetrator. In essence, it looks for re-used code and who may have used it in the past to infer who last used it. Imperfect at best, inconclusive at worst.

"Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

"Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea."

The modules that the FBI cites in their report could have been used by anyone. They cite the use of the Shamoon attack that was used against Saudi Arabia in 2012 and South Korea in 2013 and has been available on the malware black market to any hacker for the last two years. Just because a piece of malware was used in similar hacks, it in no way means that the attackers were the same. Any hacker could have acquired this malware in the last two years and used it in this security breach at Sony.

They Cited Well-Known Proxy IP Addresses

The FBI cites cites numerous IP addresses that the attackers used in their attacks on Sony. They note that other attacks that have been traced back to North Korea also have used these same IP addresses. When one examines these IP addresses, you find that they are the IP addresses of well-used proxies that many attackers use.

"The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack."

They cite several IP addresses that the attackers used. These include:

202.131.222.102 in Thailand

217.96.33.164 in Poland

88.53.215.64 in Italy

200.87.126.116 in Bolivia

58.185.154.99 in Singapore

212.31.102.100 in Cyprus

These IP addresses belong to well-known proxies (as discussed in this article) that any attacker could and will use to attack a target. Far from conclusive evidence that North Korea was involved.

The Speed of the File Transfer Was Fast

In my earlier article, I puzzled over the speed by which the attackers were able to transfer 100TB of data. Given the poor Internet architecture of North Korea, such a download would have taken weeks. One has to conclude that the attack took place from a location outside of North Korea.

Even if the attack originated from outside of North Korea, moving 100TB is no trivial task. If you've ever downloaded a large file, say a 2GB movie or 4GB operating system, you know that it can take hours. Now, imagine moving files 5,000 times larger! Either the hacker had a very high-speed connection to Sony, the Sony security apparatus was asleep at the wheel, or the hack was an inside job.

The Language Clues Point Toward Another Country

The cyber security firm, Taia Global based in Israel, conducted a linguistic analysis of the attackers language and syntax. Often, when one language is translated to another, the translator will use syntax and constructs that are part of their native language, but not in the target language. That is why poor translations can sound so stilted. This can provide clues as to the language of the original document or the translator or both.

Taia reportedly tested the translations for clues from the following languages:

Mandarin

Chinese

Russian

German

Korean

They concluded that translation was not from an original written in Korean, but most probably, Russian.

Evidence Supports a Possible Inside Job

Another cyber security firm, Norse, has done an investigation based upon Sony's employee records that were released by the hackers. Norse used some good old detective work to scan the leaked documents and search for employees who might have had motive to hack Sony, access to the system, and technical expertise to pull it off.

After reviewing these records, they claim that they have identified six individuals whom they think might have been involved in the hack. The individuals identified were based in the U.S., Canada, Thailand, and Singapore. One of these employees, code named Leena, was laid off in May and was involved a technical role with Sony before being let go.

Several of these employees expressed resentment on social media toward Sony for their dismissal. The Daily Caller reported:

"After examining intercepted communications of other individuals engaged in contact with hacker and hacktivist groups in Europe and Asia (where the Sony hack was routed through), Norse connected one of those individuals with the Sony employee on a server that featured the earliest-known version of the malware used against Sony."

So, Did North Korea Really Pull This Off?

For all of the reasons above, I am very skeptical of the conclusion that North Korea hacked Sony. All of the evidence cited by the FBI is inconclusive and cannot be used to point the finger to any one nation or individual. Some of the evidence cited by the FBI is sophomoric—even laughably so—as a grounds for pointing a finger at North Korea. I do, however, withhold judgement as they or the NSA may have evidence that they are not sharing, but what they are sharing is inconclusive, at best.

18 Comments

I really appreciate that you share your thoughts on this topic, as the point of view of an expert is always precious to me.

snipped reasoning

I want to point out my thoughts to, as today I joint the topic a little bit more, and I'm looking for answers or missing reasons in my mind:

-If FBI knows (because at this point, they do) that the informations cited are inconclusive, why did they publish them? It seems like they are trying to ask for evidence to the internet (as the linguistic analysis demonstrates, this includes not only the programming field) or just inducing people to think the way they want. What about their self, although pointless and totally inconclusive I know, but story is telling me this.

-The file transferring speed really looks like a topic that could lead to a conclusion (not sure if what you said is true, I'll be searching it in the next hour, but I'm assuming it is). Who first released this information and how (I'm just assuming Sony...?)?

-I can't see the point of locating the attack (my fault obviously). What if the organization behind was so big that it would be just useless? I mean,for this very serious topic I think that all the precautions were taken (although there's no perfect crime). You can't punish a chain of uninteresting people doing one little thing that brings to a hidden big organization. I'm sure I'm missing something (or just looking for confirm), although I know that operations like these happen every day and law always has to deal with them (my country has a pretty evident example, and I'm comparing it to that, that's why).

Thank you for anyone who will be answering and expanding this topic, I just wanted to share my thoughts too.Sorry for any unclear part and for some apparently senseless answers, I had to cut a lot of reasoning.And again sorry for the wall text.

It might sound like, but I'm not trying to say that this absolutely was not an inside job, although at first it sounded a bit strange to me, as it would require, as I pointed out in the last paragraph, too many people to run silently (again, just trying to make some points, I might be laughably wrong, as this idea is based upon another which is totally inconclusive, nothing to say about OTW's words, flawless as always).

thanks! and how did they get acess to the proxy chain they used? i mean, if they managed to discover the chain doesnt that mean they had do access the logs in each proxy to find out the next one? and if so, how come they didnt find out the true ip?

thats what i am saying. they knew the 6 proxys they used, but if they dont have logging how did they know the whole chain instead of just the last proxy that connect directly? (sorry for time taken ;p)

Ok now i get it! they did not discover those ips on the chain by searching on the "end" of the chain and uncovering the rest of the proxys on the chain. but rather the hackers during the attack connect using diferent proxys. thanks otw ;)

"In our experiment we encountered 3 types of Nodes; clean, malicious blackhat and malicious government. It was most likely the Government nodes redirecting traffic and sniffing for DarkMarket site info like usr/passwd login and different Blackhat Nodes were for sniffing banking&social media accounts logins. We recommend using at least one off-shore VPN or VPNchain/Proxychain that doesnt log in combination with the Tor Browser to completely encrypt all traffic."

Of course you can't access offline server using internet and that would make the best safety for secret information (that's exactly my point). I'm sure there is a reason behind this but I don't get why they mixed up all this kind of information (mails, movies, etc..) on online servers. Why not use an offline server as a safe ? With a backup from online to offline every given amount of time.

The only reason I see is the time it would take to any employee to access this offline server, then with equation time=money, it should be enough for some to make this server online... But seriously, 100 TB of secret information, comon...

GREETINGS ALL,First, thanks to OTW for the breakdown..That really explained a lot..

Second,seems pretty clear cut though...Publicity and Preparation for upcoming events was the cause of all this....We are being herded like cattle.....Steered in a predetermined direction....Question. Why are so many playing a blind eye on this? This is just another way of creating a panic to remove more of our freedoms....How about i send recommendations for a body shop, BEFORE I key your car?....WAKE UP!!!!!!!

Seems like the Xbox attack and some other strikes were launched by a group called "Lizard Sqad" (quoting Krebs on Security):

"A gaggle of young misfits that has long tried to silence this Web site now is taking credit for preventing millions of users from playing Sony Playstation andMicrosoft Xbox Live games this holiday season.

The group, which calls itself LizardSquad, started attacking the gaming networks on or around Christmas Day. "